No. As @DSkowronski points out below, group policies apply to domains, and have no effect on local accounts. You'll have to apply a local policy on each workstation.
– user3914, Jul 4 '12 at 22:59

@RandolphWest: User Configuration group policy settings don't apply to local accounts, but the Account Lockout Threshold is a Computer Configuration policy. It does affect local accounts.
– Harry Johnston, Jul 5 '12 at 23:33

3 Answers
3

The Account Lockout Policy for domain users is defined by the settings in either the Default Domain Policy or the Default Domain Controllers Policy object. The documentation is unclear (see here and compare to here) as to which of these contain the domain user settings by default, and does not describe how the settings for user accounts are located in non-default configurations. It may depend upon the version of Windows Server. In any case, we can easily avoid depending on the exact behaviour.

Your member workstations should already be located in one or more OUs. If you create a group policy object and apply it to those OUs, the Account Lockout Policy settings in that GPO will take precedence over the settings in the Default Domain Policy object (if any). The Default Domain Controllers Policy object only applies to the Domain Controllers OU, so it will not affect your member servers in any case.

Provided that you don't apply your GPO to the root of the domain, the Domain Controllers OU, or at the Site level, it definitely won't affect domain user accounts, even if those accounts are logging into the servers in question. (It should be possible to apply the GPO at the root of the domain and make it work, but the details are a bit complicated so I don't recommend trying it.)

It's pretty much bog standard group policy, except for the uncertainty about just what rules apply to domain users. In fact, I suspect that part is simple, too: domain user ALP is probably determined by whatever group policy settings are being applied to the domain controller processing the logon attempts. But the documentation suggests otherwise, hence the cautious approach.
– Harry Johnston, Jul 7 '12 at 5:58

You could change the local Account Lockout Threshold using group policy by pushing a startup script with the "NET ACCOUNTS /LOCKOUTDURATION:XX" command (where XX is in minutes), but that would only have a short-term effect. When a local computer is joined to a domain, it obtains its security policy from the domain's policy or from the policy of any organizational unit that it is a member of.

When you modify the security settings on your local computer using the local security policy (which the NET ACCOUNTS command does), you are directly modifying the settings on your computer. Therefore, the settings take effect immediately, but this may only be temporary. The settings will actually remain in effect on your local computer until the next refresh of Domain Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts. The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes.
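An added example, not part of the answers above: a read-only PowerShell check of the lockout settings actually in force on a member workstation, so you can confirm that the OU-linked GPO (or a local NET ACCOUNTS change) is what the machine is really using. The function name and the expected values are assumptions made for illustration; run it from an elevated prompt.

```powershell
# Reads the local security database with secedit and returns the three
# account lockout settings. Makes no changes to the machine.
function Get-EffectiveLockoutPolicy {
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
            throw "secedit export failed (exit code $LASTEXITCODE); is the prompt elevated?"
        }
        $policy = @{}
        foreach ($line in Get-Content $cfg) {
            # Keys live in the [System Access] section of the exported template.
            if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Constructed baseline for illustration: replace with the values in your GPO.
$expected = @{ LockoutBadCount = 5; LockoutDuration = 30; ResetLockoutCount = 30 }

$actual = Get-EffectiveLockoutPolicy
foreach ($key in $expected.Keys | Sort-Object) {
    if (-not $actual.ContainsKey($key)) {
        # Duration and reset counter can be absent when the threshold is 0
        # (lockout disabled), so report that rather than treating it as zero.
        Write-Output ("{0,-18} expected {1,3}  actual: not set" -f $key, $expected[$key])
    }
    elseif ($actual[$key] -ne $expected[$key]) {
        Write-Output ("{0,-18} expected {1,3}  actual {2,3}  MISMATCH" -f $key, $expected[$key], $actual[$key])
    }
    else {
        Write-Output ("{0,-18} expected {1,3}  actual {2,3}  ok" -f $key, $expected[$key], $actual[$key])
    }
}

# Show which GPOs the computer applied, to see where the settings came from.
gpresult /r /scope computer
```

Running it before and after `gpupdate /target:computer /force` shows whether a locally set value survived the Group Policy refresh described in the last answer.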